Page MenuHomePhabricator
Create Task
Maniphest T309959

Rewriting HTTP as HTTPS or bad opportunistic TLS in links
Closed, DeclinedPublicBUG REPORT
Actions

Description

As per https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)#http_url_wrongly_rewritten_as_https_in_href_for_icecast.rte.ie

Issue
In an attempt to use TLS with external sites where possible, MW rewrites HTTP to HTTPS for all links to names rooted in those on a certain list maintained by Chromium.org.

This strategy fails in two respects:

  • forcing TLS where it is not available, as with icecast.rte.ie
  • not using TLS where it is available, as with www.gnu.org

Furthermore, what security it does provide is already matched exactly by many popular browsers.

Solution
I suggest each MW site generate its own list of hosts it has successfully contacted by HTTPS from those it links to. This would more accurately force TLS for those that support it, while not doing so for those that don't.

I also suggest including some wikitext to stop links from being rewritten.

Opinion
I believe that hobbling authors by refusing to respect what URL they specify flies in the face of Internet and Web standards and degrades any project engaged in such practices.

Related Objects

Event Timeline

antichrome created this task.Jun 6 2022, 6:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 6 2022, 6:46 AM
antichrome added a comment.Jun 6 2022, 7:02 AM
This comment was removed by antichrome.
antichrome triaged this task as Medium priority.Jun 6 2022, 7:06 AM
antichrome updated the task description. (Show Details)
antichrome added a project: MediaWiki-extensions-SecureLinkFixer.
antichrome updated the task description. (Show Details)Jun 6 2022, 7:22 AM
antichrome added a project: MediaWiki-General.
antichrome updated the task description. (Show Details)Jun 6 2022, 9:39 AM
antichrome added a comment.EditedJun 6 2022, 12:28 PM

Note: It is important that HSTS should be completely disregarded, and only HTTPS considered. E.g. if you request https://en.wikipedia.org/ and do not follow the location header (which is to the same domain), you will not receive the strict-transport-security header. (Seriously! Well, I didn't, anyway.) HSTS itself is so badly designed and badly implemented that the safest bet is to ignore it entirely. The same comments apply to the list.

antichrome added a comment.EditedJun 6 2022, 12:42 PM

Suggestions for wikitext:

  • <nohttps> tag by analogy with <nowiki> tag
  • rewrite force-http to http
  • rewrite <force>http or <forcehttp> or some other weird macro to http (could make future changes to parsing easier)
antichrome updated the task description. (Show Details)Jun 6 2022, 12:44 PM
Legoktm closed this task as Declined.Jun 7 2022, 4:50 AM
Legoktm subscribed.

In an attempt to use TLS with external sites where possible, MW rewrites HTTP to HTTPS for all links to names rooted in those on a certain list maintained by Chromium.org.

Crucially, these websites have explicitly *asked* Chromium to be included in that list by virtue of adding the preload tag to their HTTP headers.

This strategy fails in two respects:

  • forcing TLS where it is not available, as with icecast.rte.ie

This website misconfigured their HSTS unfortunately, and still hasn't gotten it fixed in the Chromium/Firefox lists. Whenever that happens, MediaWiki will pick up the change and roll it out within a month-ish. That's roughly what's to be expected in the HSTS guidelines.

  • not using TLS where it is available, as with www.gnu.org

This is the status quo, so it's not really a loss.

Furthermore, what security it does provide is already matched exactly by many popular browsers.

Indeed, so we're not doing anything unique here. But there is a shrinking set of users who use browsers that don't support HSTS, and this provides a very small security benefit for them. Given the low complexity of SecureLinkFixer, it seems like a good win. Maybe in a few years we can turn off SecureLinkFixer, that would be pretty cool.

In T309959#7982486, @antichrome wrote:

Note: It is important that HSTS should be completely disregarded, and only HTTPS considered. E.g. if you request https://en.wikipedia.org/ and do not follow the location header (which is to the same domain), you will not receive the strict-transport-security header. (Seriously! Well, I didn't, anyway.)

What?

curl -I 'https://en.wikipedia.org/' | grep strict
strict-transport-security: max-age=106384710; includeSubDomains; preload

HSTS itself is so badly designed and badly implemented that the safest bet is to ignore it entirely. The same comments apply to the list.

No thanks.

In T309959#7982503, @antichrome wrote:

Suggestions for wikitext:

  • <nohttps> tag by analogy with <nowiki> tag
  • rewrite force-http to http
  • rewrite <force>http or <forcehttp> or some other weird macro to http (could make future changes to parsing easier)

No thanks, the whole point of this is to do transparent rewrites.

Xaosflux subscribed.Jun 9 2022, 1:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL